071164ddf0c732062c9e265e0cbf2b17de101e77e7acbe75efedf2717716c723

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e1358a4329a1f89efcecfc906163e8b.exe
Size

422KB
MD5

0e1358a4329a1f89efcecfc906163e8b
SHA1

65fe81d71c3cd6010977addcf8d6c09936a4cf69
SHA256

071164ddf0c732062c9e265e0cbf2b17de101e77e7acbe75efedf2717716c723
SHA512

a1464e4943fb58ec96a61efba7bc4131709ae24771229e8c2830f275ba82693f05bc5576c2e11c847dcbeb2513d1748094a1cdfe6548eee9083124cbca837832
SSDEEP

6144:1fv08mJ7CuXCAPHQ/xjLqdjY4/ea2L/LcVx8Ny9uAJmEcZw9OAO5:1fd8SAfuLqdjqa2L4kU9uAkEcZyO

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\mE37001PmPjE37001\\mE37001PmPjE37001.exe"	0e1358a4329a1f89efcecfc906163e8b.exe

Deletes itself 1 IoCs

pid	Process
3032	mE37001PmPjE37001.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	mE37001PmPjE37001.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2988-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2988-30-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/3032-31-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/3032-38-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\mE37001PmPjE37001 = "C:\\ProgramData\\mE37001PmPjE37001\\mE37001PmPjE37001.exe"	mE37001PmPjE37001.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe
2988	0e1358a4329a1f89efcecfc906163e8b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	0e1358a4329a1f89efcecfc906163e8b.exe
Token: SeDebugPrivilege	3032	mE37001PmPjE37001.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3032	2988	0e1358a4329a1f89efcecfc906163e8b.exe	32
PID 2988 wrote to memory of 3032	2988	0e1358a4329a1f89efcecfc906163e8b.exe	32
PID 2988 wrote to memory of 3032	2988	0e1358a4329a1f89efcecfc906163e8b.exe	32
PID 2988 wrote to memory of 3032	2988	0e1358a4329a1f89efcecfc906163e8b.exe	32

C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe
"C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\ProgramData\mE37001PmPjE37001\mE37001PmPjE37001.exe
  "C:\ProgramData\mE37001PmPjE37001\mE37001PmPjE37001.exe" "C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mE37001PmPjE37001\mE37001PmPjE37001.exe

Filesize
422KB

MD5
2a6dbe349b1cc298f34ba95283afffe8

SHA1
6dd68bbfd937cf176764aeb504617f32db18c427

SHA256
648529bcfa6369a1b7ca03bc163956548bd1d4f0308af352b0155ca3c797556b

SHA512
ad89c20820edef0fbbd481215ce9c62af88d3d9ee9834bc7e964e1775c4ff3acf30744546dbd1878764f5b700fca9281be0fb65334c1feb0e4cff5569ca37c79

Download Submit
memory/2988-0-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/2988-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2988-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2988-30-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3032-31-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3032-38-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download